The Latest Supply Chain Risk – Your Desk Phone
Chinese electronics maker Yealink is not a household name like Huawei, but it may soon be.
Senator Chris Van Hollen (Maryland) wrote a letter to Commerce Secretary Raimondo asking what she planned to do about the security problems described below; that letter is the first we are hearing of them. Raimondo could ban the equipment, just as equipment made by Huawei and others has been banned.
Yealink’s phones are, apparently, popular in the United States, including at federal, state and local government agencies, but, as it turns out, they come with more than a few security concerns.
Van Hollen’s letter references a report by Chain Security, a Virginia-based firm that assesses hardware supply chain risk for a living.
The report says that Yealink’s Device Management Platform, or DMP, is what allows users to make calls and administrators to manage the phones.
HOWEVER, according to the report, it also allows Yealink to secretly record those calls and, for computer-based (softphone) clients, to track which websites users are visiting.
Concerned yet?
It turns out that even if you are using a physical phone, if your computer reaches the network through the phone’s PC port, all of the computer’s traffic passes through the phone, so the phone can still track what websites you are visiting. And it is not just that the phone CAN track you; according to the report, it IS tracking you.
While it is not confirmed, it is suspected that Yealink holds a sysadmin role on the DMP, and hence has the power to do anything that any other administrator can do.
Yealink’s service agreement requires users (say, a US Government employee with one of these phones on his or her desk) to accept Chinese law, including a term that allows for active monitoring of users when required by the ‘national interest’ of China.
The phone also does not digitally sign software updates, so if someone can get the phone to accept an update, it has no way of telling a legitimate Yealink update from one an attacker built. A checksum or CRC on the image does not help here: it catches corruption, not forgery, because whoever replaces the image can recompute it.
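To make the difference concrete, here is an added example (not code from the page, from Yealink or from Chain Security) contrasting a phone that accepts any well-framed image with one that pins a vendor public key and verifies a signature before installing. The image framing (a "FWIM" magic, payload and CRC32), the choice of Ed25519 over SHA-256, and the key handling are all assumptions for illustration; the report does not describe Yealink's actual update format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Hypothetical image format, used only for this example: 4-byte magic,
// payload, then a big-endian CRC32 over magic+payload. Not Yealink's format.
var fwMagic = []byte("FWIM")

// buildImage frames a payload the way a build tool would. An attacker with
// the same tool produces an equally valid frame.
func buildImage(payload []byte) []byte {
	body := append(append([]byte{}, fwMagic...), payload...)
	crc := make([]byte, 4)
	binary.BigEndian.PutUint32(crc, crc32.ChecksumIEEE(body))
	return append(body, crc...)
}

// acceptUnsignedUpdate models a phone that checks only framing and CRC.
// A CRC detects corruption, not forgery: anyone who recomputes it passes.
func acceptUnsignedUpdate(img []byte) error {
	if len(img) < len(fwMagic)+4 || !bytes.Equal(img[:len(fwMagic)], fwMagic) {
		return errors.New("bad framing")
	}
	body, tail := img[:len(img)-4], img[len(img)-4:]
	if crc32.ChecksumIEEE(body) != binary.BigEndian.Uint32(tail) {
		return errors.New("bad crc")
	}
	return nil
}

// signImage appends the vendor's Ed25519 signature over SHA-256(image).
func signImage(priv ed25519.PrivateKey, img []byte) []byte {
	digest := sha256.Sum256(img)
	return append(append([]byte{}, img...), ed25519.Sign(priv, digest[:])...)
}

// acceptSignedUpdate models the fix: a public key pinned at manufacture,
// and any image whose signature does not verify under it is refused.
func acceptSignedUpdate(pinned ed25519.PublicKey, signed []byte) error {
	if len(signed) < ed25519.SignatureSize+len(fwMagic)+4 {
		return errors.New("too short")
	}
	cut := len(signed) - ed25519.SignatureSize
	img, sig := signed[:cut], signed[cut:]
	if err := acceptUnsignedUpdate(img); err != nil {
		return err
	}
	digest := sha256.Sum256(img)
	if !ed25519.Verify(pinned, digest[:], sig) {
		return errors.New("signature does not verify under the pinned vendor key")
	}
	return nil
}

// Outcome records whether each checker accepted each image.
type Outcome struct {
	UnsignedTakesVendor   bool // CRC-only check accepts the real build...
	UnsignedTakesAttacker bool // ...and equally accepts the attacker's build
	SignedTakesVendor     bool // signature check accepts the real build
	SignedTakesAttacker   bool // attacker signs with own key: must be false
	SignedTakesSpliced    bool // attacker payload + vendor signature: must be false
}

// Demo builds a vendor image and an attacker image (both constructed
// payloads) and runs both checkers against them.
func Demo() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // attacker's own key
	if err != nil {
		return Outcome{}, err
	}
	vendor := buildImage([]byte("vendor firmware 1.2.3"))
	attacker := buildImage([]byte("attacker firmware with implant"))
	signedVendor := signImage(vendorPriv, vendor)
	signedAttacker := signImage(attackerPriv, attacker)
	// Splice: the attacker's image with the vendor's signature copied onto it.
	spliced := append(append([]byte{}, attacker...), signedVendor[len(vendor):]...)

	return Outcome{
		UnsignedTakesVendor:   acceptUnsignedUpdate(vendor) == nil,
		UnsignedTakesAttacker: acceptUnsignedUpdate(attacker) == nil,
		SignedTakesVendor:     acceptSignedUpdate(vendorPub, signedVendor) == nil,
		SignedTakesAttacker:   acceptSignedUpdate(vendorPub, signedAttacker) == nil,
		SignedTakesSpliced:    acceptSignedUpdate(vendorPub, spliced) == nil,
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The CRC-only checker accepts the vendor build and the attacker build alike, which is exactly the position an unsigned phone is in. The pinned-key checker accepts only the vendor build and rejects both an image signed with some other key and an attacker payload spliced under a genuine vendor signature. In a real device the pinned key would live in read-only storage and the check would run in the bootloader, not in updatable firmware.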
Even scarier is Verizon’s response to this revelation: A Verizon spokesperson said Yealink’s DMP “has been built to meet the custom requirements of Verizon” and that the customization was related to “security; feature management exposure to the devices through the DMP; firmware management and remote diagnostics.”
Does that mean that Verizon is in cahoots with China?
If all of this wasn’t bad enough, the phone sends encrypted messages to China three times a day.
The Commerce Department responded to the Senator saying that they take this stuff seriously.
Whatever the hell that means.
My guess is that this is probably not a lot different from other tech that may be in your office or home, which means that you might want to be more aggressive in reviewing the security of those tech toys.
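One concrete way to do that review is to look at what your phones actually talk to. A device that phones home three times a day, as described above, shows up in firewall or flow logs as a source/destination pair with strikingly regular spacing. The following is an added example (not from the page, from Chain Security or from any vendor) that parses constructed log lines and flags pairs whose inter-connection gaps are nearly constant. The log format, the phone VLAN 10.1.20.0/24, the destination addresses (documentation ranges standing in for off-site hosts), and the thresholds are all assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Constructed firewall/flow log lines, not real Yealink traffic. 10.1.20.15
// connects every 8 hours; 10.1.20.22 connects at irregular times.
const sampleLog = `2021-09-01T03:00:11Z src=10.1.20.15 dst=203.0.113.7 dport=443
2021-09-01T07:14:02Z src=10.1.20.22 dst=198.51.100.9 dport=443
2021-09-01T11:00:09Z src=10.1.20.15 dst=203.0.113.7 dport=443
2021-09-01T15:41:55Z src=10.1.20.22 dst=198.51.100.9 dport=443
2021-09-01T19:00:14Z src=10.1.20.15 dst=203.0.113.7 dport=443
2021-09-02T03:00:10Z src=10.1.20.15 dst=203.0.113.7 dport=443
2021-09-02T09:03:31Z src=10.1.20.22 dst=198.51.100.9 dport=443
2021-09-02T11:00:12Z src=10.1.20.15 dst=203.0.113.7 dport=443
2021-09-02T20:30:00Z src=10.1.20.22 dst=198.51.100.9 dport=443
`

type flow struct {
	t        time.Time
	src, dst string
}

// parseLine reads "<RFC3339 time> key=value ..." and keeps src and dst.
func parseLine(line string) (flow, bool) {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return flow{}, false
	}
	t, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return flow{}, false
	}
	f := flow{t: t}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			continue
		}
		switch parts[0] {
		case "src":
			f.src = parts[1]
		case "dst":
			f.dst = parts[1]
		}
	}
	return f, f.src != "" && f.dst != ""
}

// Beacon is a src->dst pair whose connections recur at a near-fixed period.
type Beacon struct {
	Src, Dst string
	Hits     int
	Period   time.Duration
}

// FindBeacons flags pairs seen at least minHits times where every gap between
// consecutive connections is within maxJitter (a fraction) of the mean gap.
func FindBeacons(text string, minHits int, maxJitter float64) []Beacon {
	byPair := map[string][]flow{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if f, ok := parseLine(sc.Text()); ok {
			key := f.src + ">" + f.dst
			byPair[key] = append(byPair[key], f)
		}
	}
	var out []Beacon
	for _, fs := range byPair {
		if len(fs) < minHits {
			continue
		}
		sort.Slice(fs, func(i, j int) bool { return fs[i].t.Before(fs[j].t) })
		var gaps []float64
		mean := 0.0
		for i := 1; i < len(fs); i++ {
			g := fs[i].t.Sub(fs[i-1].t).Seconds()
			gaps = append(gaps, g)
			mean += g
		}
		mean /= float64(len(gaps))
		regular := true
		for _, g := range gaps {
			if math.Abs(g-mean)/mean > maxJitter {
				regular = false
				break
			}
		}
		if regular {
			out = append(out, Beacon{fs[0].src, fs[0].dst, len(fs), time.Duration(mean * float64(time.Second))})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

func main() {
	for _, b := range FindBeacons(sampleLog, 4, 0.1) {
		fmt.Printf("%s -> %s: %d hits, period %s (%.1f/day)\n",
			b.Src, b.Dst, b.Hits, b.Period.Round(time.Minute), 24*time.Hour.Seconds()/b.Period.Seconds())
	}
}
```

On the constructed log this flags only 10.1.20.15, with a period of about eight hours, that is, three connections a day; 10.1.20.22 is dropped because its gaps vary too much. Regular check-ins are not proof of anything by themselves, since phones legitimately poll provisioning and management servers, so the follow-up is to resolve each flagged destination and decide whether that is a host your phones should be talking to at all.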
Credit: Defense One